
Tutorial: SSH-Tunneled VPN on Stock Android

0. Notes
- no proprietary / commercial apps required. FOSS only! (Free and Open Source Software)
- no root / custom ROM required
- tested on Android 4.4.4
- minimum requirement: Android 4.x

1. Required apps
- OpenVPN for Android
- ConnectBot (any advanced SSH client will work)
- CyanogenMod File Manager (or pick any file manager you like)
I highly recommend installing all of these apps via F-Droid, a Free Open Source Software platform: https://f-droid.org/
In order to install F-Droid, you may need to temporarily "Allow installation of apps from unknown sources" in Android's security settings.

2. Generate config files
Use the AirVPN Generator (https://airvpn.org/generator/) to create SSH config files for Linux (not Android). Only pick one specific server.
Screenshot #1: http://i.imgur.com/FWcuXH2.jpg

3. Transfer config files
We only need 2 out of the 3 generated files:
- sshtunnel.key
- the .ovpn profile
Screenshot #2: http://i.imgur.com/p2L7T0l.jpg
Transfer both of them to your Android's sdcard.
Also, open the .ovpn file in a text editor and look for a line that starts with "route"; it contains the server's IP, which we will need in step 5. Example:
route 199.19.94.12 255.255.255.255 net_gateway
That's the IP we will need.

4. Import key file in ConnectBot
Launch ConnectBot. Go into the menu and choose "Manage Pubkeys".
Screenshot #3: https://i.imgur.com/uGT3UgC.jpg
Import the sshtunnel.key file.
Screenshot #4: https://i.imgur.com/ZPYhI6V.jpg

5. Configure SSH connection in ConnectBot
- Go to ConnectBot's main screen. At the bottom of the screen, enter: sshtunnel@199.19.94.12 (Notice, that's the IP we took note of in step 3).
Screenshot #5A: http://i.imgur.com/ludTDgv.jpg
If the default port 22 is blocked, you can try an alternative port by appending it at the end: sshtunnel@199.19.94.12:80 or sshtunnel@199.19.94.12:53
- Press Enter on your keyboard. It will try to connect and ask you to continue. Choose "Yes".
Screenshot #5B: http://i.imgur.com/UJNpB9n.jpg
- Cancel the connection, we need to configure it now. Long-press the newly created connection and choose "Edit host".
Screenshot #6: https://i.imgur.com/n3OtM2D.jpg
- Change "Use pubkey authentication" to "sshtunnel.key".
Screenshot #7: https://i.imgur.com/CwfFSoO.jpg
- Disable the option "Start shell session".
Screenshot #8: https://i.imgur.com/l2niHqG.jpg
- Consider enabling the option "Stay connected".

6. Configure SSH port forwarding
- Go to ConnectBot's main screen.
- Long-press the new connection again, but this time choose "Edit port forwards". "Add port forward" with the following values:
  Type: Local
  Source port: 1412
  Destination: 127.0.0.1:2018
Screenshot #9: https://i.imgur.com/TBnsKQx.jpg
- Press "Create port forward". Configuration of the SSH connection is now complete.
- Go back to ConnectBot's main screen and tap the connection entry to establish a connection. Leave the ConnectBot app using your "home" button.

7. Import OpenVPN config
- Launch "OpenVPN for Android".
- Tap the folder icon. In the "Open from" dialog, choose "File Manager".
Screenshot #10: https://i.imgur.com/Nhc6fDa.jpg
- Pick the AirVPN_...SSH-22.ovpn file.
- OpenVPN will present you with an "import log"; tap "Save" to accept.
- You may want to dive into the new profile's settings: go to "ROUTING" and enable "Use default route".
- In the ALLOWED APPS tab, find and select ConnectBot to exclude it from OpenVPN's routing.

8. Start OpenVPN connection
- In OpenVPN's main screen, tap the VPN profile to establish the connection.
- Provided that the SSH connection is still running, OpenVPN will be able to connect. Congratulations!

9. How to connect / disconnect from now on
When establishing a connection, always
- start the SSH connection first
- then launch OpenVPN
When disconnecting, always
- disconnect the OpenVPN connection first
- then disconnect SSH in ConnectBot

10. Thoughts on reliability and firewalling
If avoiding network leaks is important to you: be careful on Android, especially on unreliable mobile or WiFi networks that might cause the connection to collapse quite often. I don't have a solution for this potential issue on stock Android, but if you're on a rooted device, you should absolutely consider installing AFWall+ (available in F-Droid). AFWall+ allows you to firewall individual apps, restricting their network access to VPN-only. (You have to dive into its settings to enable VPN mode.)
Finally: Good luck!
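The tutorial above hinges on two things fitting together: the "route ... net_gateway" line in the .ovpn profile (which keeps packets to the SSH server on the real gateway so the tunnel never tries to carry its own transport once "Use default route" is on) and the local port forward 1412 -> 127.0.0.1:2018 that the profile's "remote" line must point at. The following added example (my own code, not part of the tutorial or any AirVPN tool) parses a profile for exactly those fields, reports mismatches, and prints the equivalent OpenSSH command line for doing the same forward on Linux or macOS. The sample profile text is constructed around the tutorial's own "route" line; the 2018 server-side port, the "sshtunnel" user name and the key file name are taken from the tutorial.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample .ovpn profile modelled on the tutorial's lines: the
# "route" entry names the SSH server's public IP, and "remote" points OpenVPN
# at the local ConnectBot forward (127.0.0.1:1412).
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote 127.0.0.1 1412
route 199.19.94.12 255.255.255.255 net_gateway
resolv-retry infinite
nobind
"""

# The port forward from step 6 of the tutorial: local 1412 -> 127.0.0.1:2018 on the server.
LOCAL_PORT = 1412
SERVER_SIDE = ("127.0.0.1", 2018)


def parse_ovpn(text: str) -> Dict[str, Optional[str]]:
    """Pull the fields this setup depends on out of an .ovpn profile."""
    info: Dict[str, Optional[str]] = {"server_ip": None, "remote_host": None, "remote_port": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        # "route <ip> 255.255.255.255 net_gateway": a host route that pins the
        # SSH server to the original gateway, avoiding a routing loop once the
        # VPN installs its default route.
        if parts[0] == "route" and len(parts) >= 4 and parts[2] == "255.255.255.255" and parts[3] == "net_gateway":
            info["server_ip"] = parts[1]
        elif parts[0] == "remote" and len(parts) >= 3:
            info["remote_host"], info["remote_port"] = parts[1], parts[2]
    return info


def check_profile(info: Dict[str, Optional[str]]) -> List[str]:
    """Return a list of problems; an empty list means the profile matches the forward."""
    problems = []
    if info["server_ip"] is None:
        problems.append("no 'route <ip> 255.255.255.255 net_gateway' line: server IP unknown")
    if info["remote_host"] != "127.0.0.1" or info["remote_port"] != str(LOCAL_PORT):
        problems.append(f"'remote' must be 127.0.0.1 {LOCAL_PORT} so OpenVPN enters the SSH forward")
    return problems


def ssh_command(info: Dict[str, Optional[str]], key_path: str = "sshtunnel.key", ssh_port: int = 22) -> str:
    """The ConnectBot host + port-forward settings expressed as one OpenSSH command line.

    -N mirrors "Start shell session" being disabled: forward only, no shell.
    """
    if info["server_ip"] is None:
        raise ValueError("profile has no server IP")
    args = [
        "ssh", "-i", key_path, "-N",
        "-p", str(ssh_port),
        "-L", f"{LOCAL_PORT}:{SERVER_SIDE[0]}:{SERVER_SIDE[1]}",
        f"sshtunnel@{info['server_ip']}",
    ]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    parsed = parse_ovpn(SAMPLE_OVPN)
    for problem in check_profile(parsed):
        print("WARNING:", problem)
    print(ssh_command(parsed))
```

Run the ssh command first, then start OpenVPN against the profile, which matches the order the tutorial insists on in step 9; on Android, excluding ConnectBot in the ALLOWED APPS tab plays the role the "net_gateway" route plays here.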

Hi, I need help getting connected on my iPhone with SSL or SSH. I have followed the steps on this page https://airvpn.org/ios/ and it connects, but I don't have access to the net. I'm connecting from China, so SSL or SSH is needed. Thanks in advance.

Hello. I'm trying to figure out how to import and use SSL or SSH on iOS and Android using the OpenVPN client. I'm not sure what I'm doing wrong, but I can't even get a connection to any server. Any ideas on how to get this working?

Hi, I am seeking some help with an issue that I have. I have AirVPN set up and installed on my Ubuntu machine that I am using as a file/media server. I have gotten Plex to work remotely perfectly. Before installing AirVPN, I would connect to this media server using my Windows machine by putting the domain name that I assigned to the media server into PuTTY on the Windows machine, and I would connect and do whatever I needed to do via the command line. After installing AirVPN and running it on the Ubuntu machine (media server), I can no longer connect via PuTTY from the Windows machine to the Ubuntu machine (media server). Can a staff member or admin provide me with some kind of help on this topic so I can fix this issue? Thank you.

Hello! I have been using AirVPN at home like a charm for months now, however when I am on a certain network away from my house I cannot seem to get it to work. When I use all of the non-SSL and SSH protocols, it fails to connect. When I use SSL or SSH I get an error in my logs: "Squid does not support some access protocols. For example, the SSH protocol is currently not supported." How can I fix this so I can use SSL or SSH?

Hi, When I am connected to AirVPN under Linux NetworkManager with OpenVPN configs, attempting to SSH to other Linux clients on the LAN has intermittent 10-20 second lockups. This is not true of Eddie connections under Windows or when not connected to AirVPN. Does anyone know what could be causing this and how to fix it?

Hi all I've noticed a slightly strange effect associated with my new Virgin cable connection which I'm trying to explain. If I connect to Airvpn using the Eddie client from my MacBook, default settings - 443 UDP, I get almost my full connection speed (200mbit). Happy days. However I have just set up my Linux server and if I connect using openvpn from the command line to 443 UDP I get about 10% of my normal speed. About 20mbit. However, if I connect to port 80 through SSH, I get the full 200Mbit again. Exactly the same happens when I connect my openwrt router - 20Mbit through UDP 443. It looks like Virgin are throttling VPN connections, which wouldn't surprise me, and pushing my connection through SSH gets around this. My question is - why is Eddie able to get full speed through UDP 443, whereas my server can't? Is Eddie doing something clever to get around the traffic shaping and if so, can I tweak my openvpn settings to make my server do the same? I'd rather not be pushing everything through SSH if I can avoid it. Anyone got any bright ideas? Thanks R

Hi, First of all, I'm very happy with the service. AirVPN is simply the best VPN service out there and I am glad to have found you! Running AirVPN on my desktop machines (Win, OSX, Linux) works like a charm, either with plain OpenVPN or one of your clients. However, I'm not really sure how I can also use your service on my Linux server, to which I connect via ssh. The issue is that as soon as I run openvpn with
sudo openvpn --config your_config_file.ovpn
naturally the existing ssh connection, as well as any other means to reach my server, gets interrupted. So my use case is that my server should stay reachable publicly as before, but ideally I would like to open a single shell session that gets routed through your VPN for occasional casual browsing or processes which I prefer to use anonymously. Can I somehow restrict the VPN to only one process? Do you see any other solution for my use case? Best regards!

Hi all, I have a little problem. I'll try to tell it with my terrible English. I'd like to set up this: VPN (AirVPN client) >>> SOCKS PROXY >>> browsers and others, virtual machines etc. (all SOCKS traffic over VPN). The host OS is Linux.

Hi, I hope somebody can assist. I am trying to set up an SSH tunnel in Windows using PuTTY to tunnel specific apps only, and not everything as with the VPN. I have downloaded the appropriate config in the config generator and run the batch file. Unfortunately, it just sits on "using username..." in the console and does not do anything after. I can also not connect when setting my browser proxy to 127.0.0.1:1412 (I have tried different combinations of proxy settings and config files from the generator). I can also not seem to get it to work if I try to set this up manually in PuTTY. https://airvpn.org/ssh/ does not exactly give a detailed description on how to set everything up from end to end. Are there any instructions for this, or can anybody assist with some? Thanks in advance.

Hello, I have a question that maybe someone more knowledgeable can answer. I have a computer at home that runs airvpn client and a remote computer. I want to be able to connect from either computer to another one with ssh. Without airvpn client, everything works (obviously). If I run airvpn without network lock, I can ssh from home to remote (it goes via the AirVPN server) but not from remote to home. I tried to start airvpn with the parameter "routes.custom=my.remote.ip.addr,255.255.255.255,out" but it didn't help - the required route was not added to the routing table. However, that problem was easily solved: I added the route separately with "route add -host my.remote.ip.address gw 192.168.1.1" and all was well: ssh works from home to remote and from remote to home bypassing AirVPN as I want it to do. Now, I enable network lock. This time I need to add "allowed IP" parameter to be able to ssh from home to remote: ./airvpn -cli -connect -netlock -login=**** password=**** netlock.allowed_ips=my.remote.ip.addr But ssh from remote to home is blocked by the firewall. I can't find any airvpn parameter that can be used to create custom firewall rules. So I ended up with adding the required rule myself. Before:
# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 177 16717 ACCEPT all -- lo any anywhere anywhere
2 0 0 ACCEPT all -- any any 255.255.255.255 anywhere
3 93 8963 ACCEPT all -- any any 192.168.0.0/16 192.168.0.0/16
4 26 4651 ACCEPT all -- any any 10.0.0.0/8 10.0.0.0/8
5 0 0 ACCEPT all -- any any 172.16.0.0/12 172.16.0.0/12
6 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
7 1890 460K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
8 0 0 ACCEPT all -- tun+ any anywhere anywhere
9 6 502 DROP all -- any any anywhere anywhere
Add the rule:
iptables -t filter -I INPUT 9 -i eth0 -p tcp -s my.remote.ip.addr --dport 22 -j ACCEPT
After:
# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 182 17197 ACCEPT all -- lo any anywhere anywhere
2 0 0 ACCEPT all -- any any 255.255.255.255 anywhere
3 107 10296 ACCEPT all -- any any 192.168.0.0/16 192.168.0.0/16
4 41 6945 ACCEPT all -- any any 10.0.0.0/8 10.0.0.0/8
5 0 0 ACCEPT all -- any any 172.16.0.0/12 172.16.0.0/12
6 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
7 1981 480K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
8 0 0 ACCEPT all -- tun+ any anywhere anywhere
9 0 0 ACCEPT tcp -- eth0 any my.remote.ip.addr anywhere tcp dpt:22
10 6 502 DROP all -- any any anywhere anywhere
Now everything works again, but the question remains: what is the best way to achieve that? In the worst-case scenario, I can just start airvpn in the background, wait a minute or so and then run iptables with my additional rule. But that looks ugly. Can anyone think of a better way? Maybe some "event.session..." or "event.vpn..." parameter will do the trick? Thanks for any help.
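The post above arrives at the right rule but inserts it at a hard-coded position (9), which breaks as soon as the network-lock chain changes length, and re-running the command after every reconnect stacks duplicate rules. The following added example (my own code, not part of Eddie or the AirVPN client) parses the `iptables -L -v --line-numbers` output shown in the post, finds the catch-all DROP rule wherever it currently sits, and emits the insert command only when an equivalent ACCEPT is not already present, so it is safe to run repeatedly from a wrapper script once the client is up. The two chain listings are copied from the post, including its "my.remote.ip.addr" placeholder; "eth0" and port 22 are the post's values.

```python
from typing import Dict, List, Optional

# INPUT chain listings taken from the post above (before and after the manual rule).
BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 177 16717 ACCEPT all -- lo any anywhere anywhere
2 0 0 ACCEPT all -- any any 255.255.255.255 anywhere
3 93 8963 ACCEPT all -- any any 192.168.0.0/16 192.168.0.0/16
4 26 4651 ACCEPT all -- any any 10.0.0.0/8 10.0.0.0/8
5 0 0 ACCEPT all -- any any 172.16.0.0/12 172.16.0.0/12
6 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
7 1890 460K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
8 0 0 ACCEPT all -- tun+ any anywhere anywhere
9 6 502 DROP all -- any any anywhere anywhere
"""

AFTER = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 182 17197 ACCEPT all -- lo any anywhere anywhere
8 0 0 ACCEPT all -- tun+ any anywhere anywhere
9 0 0 ACCEPT tcp -- eth0 any my.remote.ip.addr anywhere tcp dpt:22
10 6 502 DROP all -- any any anywhere anywhere
"""


def parse_chain(text: str) -> List[Dict[str, object]]:
    """Parse the rule rows of one chain from `iptables -L -v --line-numbers` output."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # skip the "Chain ..." banner and the column header
        rules.append({
            "num": int(parts[0]),
            "target": parts[3],
            "prot": parts[4],
            "in": parts[6],
            "source": parts[8],
            "dest": parts[9],
            # trailing match text, e.g. "tcp dpt:22" or "state RELATED,ESTABLISHED"
            "extra": " ".join(parts[10:]),
        })
    return rules


def catch_all_drop_index(rules: List[Dict[str, object]]) -> Optional[int]:
    """Rule number of the first unconditional DROP (all protocols, any interface, any source)."""
    for r in rules:
        if (r["target"] == "DROP" and r["prot"] == "all" and r["in"] == "any"
                and r["source"] == "anywhere" and not r["extra"]):
            return int(r["num"])
    return None


def ssh_allow_present(rules: List[Dict[str, object]], remote_ip: str, iface: str = "eth0", port: int = 22) -> bool:
    """True if an ACCEPT for tcp/<port> from remote_ip on iface already exists."""
    return any(
        r["target"] == "ACCEPT" and r["prot"] == "tcp" and r["in"] == iface
        and r["source"] == remote_ip and f"dpt:{port}" in str(r["extra"])
        for r in rules
    )


def plan_ssh_allow(chain_text: str, remote_ip: str, iface: str = "eth0", port: int = 22) -> Optional[str]:
    """Return the iptables command that admits SSH from remote_ip ahead of the
    catch-all DROP, or None when an equivalent rule is already in place."""
    rules = parse_chain(chain_text)
    if ssh_allow_present(rules, remote_ip, iface, port):
        return None
    rule = f"-i {iface} -p tcp -s {remote_ip} --dport {port} -j ACCEPT"
    idx = catch_all_drop_index(rules)
    if idx is None:
        return f"iptables -t filter -A INPUT {rule}"  # no DROP yet: append is enough
    return f"iptables -t filter -I INPUT {idx} {rule}"  # insert just above the DROP


if __name__ == "__main__":
    print(plan_ssh_allow(BEFORE, "my.remote.ip.addr"))  # the post's insert command
    print(plan_ssh_allow(AFTER, "my.remote.ip.addr"))   # None: already present
```

The parser matches the human-readable form in the post; if you capture the listing with `-n`, the catch-all fields read `*` and `0.0.0.0/0` instead of `any` and `anywhere`, so adjust the comparisons in `catch_all_drop_index` accordingly.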

I am running a seedbox (Ubuntu server running Transmission) on a Hetzner server and, since I'd like to use it for public as well as private trackers and the host is not friendly with users who receive DMCAs, I'd like the seedbox to use AirVPN for its connections. The problem is that as soon as I tell AirVPN to connect, I lose the ability to connect to the server/seedbox via SSH or S/FTP, or via remote Transmission. The connection simply times out and I have to send a hardware reset signal through my host's control panel to get back into my server/seedbox (fortunately, I did not set AirVPN to automatically start/connect, since I wanted to confirm that it worked first). How can I configure AirVPN to still allow these inbound connections (which will originate from a mobile device and a home, both with dynamic IP addresses)? The server has a static IP address for administrative purposes.

I am trying to use AirVPN to SSH into a computer. How do I do this? I have tried the .sh file I got from the SSH tutorial, but when I try to connect to the computer running it, I can never log in (permission denied). Trying to use OpenVPN as root with the .ovpn file caused errors about not being able to connect.

Hey, I am using AirVPN to hide Tor usage. Of course I don't want the network that I am using to know I am using a VPN either... Does the SSL/SSH tunnel remedy this, or could the ISP still figure out I'm using a VPN? How can I conceal my traffic as best as possible? Thanks in advance.

So my girlfriend has recently started her master's in Germany, and the internet provided to her flat is from the university. She wanted a VPN and AirVPN seemed to be the most flexible choice, so we started there. Right off the bat, it seemed that the network was blocking all VPN traffic (it was impossible to connect to the VPN, or even authenticate credentials, while on the university network, but tethered to my phone we could connect to the VPN with no problems). It turned out to be even worse than that: even VPN over SSH is resulting in timeout errors, which seems to imply that the network is specifically blocking connections to AirVPN's hosts, as opposed to just VPN traffic (though I'll be the first to admit I'm relatively new to this and might be misdiagnosing). It turns out that the university actually had her manually set up her network with a self-assigned IP address, gateway, and manually specified DNS servers. I'm sure that's somehow related, but all I could think to try was adding another DNS (which didn't appear to help, but it also seems that the host names are being correctly resolved anyway). Any ideas would be greatly appreciated; I'm rather baffled here.

Hi, Like it says in the documentation, and as is usual, upon the first connection to an SSH server to open an SSH tunnel, the authenticity via the ECDSA key fingerprint is stated. The documentation says to just accept it. But this is dangerous, as it allows any intermediate to open a MITM attack. So please compile a list of all servers (with their IPs) and their fingerprints so we can match them on the first connection. Thanks!
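The poster's concern is sound: accepting an unknown host key on first use is exactly the moment an on-path attacker can substitute their own. Once a provider publishes fingerprints, the check is mechanical. The following added example (my own code, not the documentation's, and not an AirVPN tool) computes the SHA256 and legacy MD5 fingerprints that OpenSSH prints for a public key line, compares the offered key against a pinned table in constant time, and produces a known_hosts entry so the pinned key can be installed before the first connection and StrictHostKeyChecking left at yes. The public key is constructed (a wire-format blob with a placeholder point, which is all the fingerprint needs), the pinned table is filled from that same constructed key, and the host IP is the one used in the tutorial above.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample host key. The type string and curve name are real, the
# 65-byte "point" is a placeholder; fingerprinting hashes the raw blob only.
_SAMPLE_BLOB = (
    _ssh_string(b"ecdsa-sha2-nistp256")
    + _ssh_string(b"nistp256")
    + _ssh_string(b"\x04" + bytes(range(64)))
)
SAMPLE_PUBKEY_LINE = "ecdsa-sha2-nistp256 " + base64.b64encode(_SAMPLE_BLOB).decode() + " sshtunnel-host"


def fingerprint(pubkey_line: str, hash_name: str = "sha256") -> str:
    """Fingerprint of a public key line in the format `ssh-keygen -l` prints.

    The trailing comment is ignored: only the base64 key blob is hashed.
    """
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    if hash_name == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if hash_name == "md5":
        hexdigest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))
    raise ValueError(f"unsupported hash {hash_name!r}")


def verify_host_key(host: str, offered_pubkey_line: str, pinned: Dict[str, str]) -> bool:
    """True only if the key offered for host matches the fingerprint published for it.

    An unknown host is a failure, not a prompt: the whole point is to never
    fall back to trust-on-first-use.
    """
    expected = pinned.get(host)
    if expected is None:
        return False
    offered = fingerprint(offered_pubkey_line, "md5" if expected.startswith("MD5:") else "sha256")
    return hmac.compare_digest(offered, expected)


def known_hosts_entry(host: str, pubkey_line: str, port: int = 22) -> str:
    """known_hosts line for a pinned key; non-default ports use the [host]:port form."""
    key_type, b64 = pubkey_line.split()[:2]
    name = host if port == 22 else f"[{host}]:{port}"
    return f"{name} {key_type} {b64}"


if __name__ == "__main__":
    # Pinned table as a provider's published list would be consumed; values here
    # come from the constructed sample key rather than any real server.
    pinned = {"199.19.94.12": fingerprint(SAMPLE_PUBKEY_LINE)}
    print(fingerprint(SAMPLE_PUBKEY_LINE))
    print(fingerprint(SAMPLE_PUBKEY_LINE, "md5"))
    print(verify_host_key("199.19.94.12", SAMPLE_PUBKEY_LINE, pinned))
    print(known_hosts_entry("199.19.94.12", SAMPLE_PUBKEY_LINE, port=80))
```

On a client that already has OpenSSH, `ssh-keygen -lf <file>` and `ssh-keyscan` give the same fingerprint and key line; the value of doing it in code is that the comparison can be wired into a connection script so that a mismatch aborts instead of asking a question the user will answer "yes" to.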

Hi, As the title says, I can only connect with the SSH or SSL tunnel. I'm on Windows 10, using the Eddie client, trying to connect to a Dutch server. When I try to connect with UDP over port 443, it times out at the "Checking Route" stage. Honestly, I don't really mind because I tunnel over SSH or SSL anyway, but I'm curious if this is a known issue with a solution. Thanks for any help!

Hi guys, my problem is the following: I have port forwarding enabled on my AirVPN account, and I can ssh without problem with the command ssh -p myport user@myhost.airdns.org from home or from my cellphone. Now the problem is that at work myport is locked by the corporate firewall, and for all I can see all the other useful myports are too... Port 22 is instead open... Is there a way to go around the firewall? Please let me know. Thanks a lot.

I have been up and down old guides to set up my Pi to run a seedbox, but each source is a little confusing and has a few steps missing/different/outdated. Can anyone please link or type up a proper setup guide to get the Pi on Raspbian set up quickly and painlessly, along with how to auto-boot the config with no leaks, in plain English? A Linux-built client for ARM processors could do wonders in this department. Thank you!

I'm with Virgin Media in the UK, on 160/12 cable. Last year I had a spate of low speed (3MB/sec hard cap) which I initially blamed on throttling of OpenVPN as I could hit full speed on my naked ISP connection. After some investigation I found it was actually a bug in the ISP-supplied router, so I switched to my own and the problem went away. Lately, however, I'm having a hard speed cap problem and it really looks like issues caused by either VM's use of DPI and/or OpenVPN throttling/shaping at ISP level. VM operate a whitelist for shaping, so unless the protocol is whitelisted it's shaped by default. VM categorically and publicly deny any form of throttling, shaping or interference with OpenVPN connections. I've been using an Ubuntu torrent as a speed benchmark as it's multi-threaded, consistently very fast, and can be used off-VPN without fear of legal issues. I have tested every port and protocol in Eddie, as well as via Viscosity (to rule out Eddie issues). I also tried the same tests with several other well-respected VPN providers with good networks and the results were consistent across them all, Air included. Note that I am using MB/sec in its proper format, meaning megabytes per second. 1MB/sec = 8Mbps. All results are for the same Ubuntu 15.04 x64 torrent downloaded in the latest qBittorrent v3.2.3 on Mac OS X (also verified on Linux, PCBSD and Windows 8.1 Pro). As well as checking against multiple VPN companies, multiple OpenVPN software and multiple operating systems, I also reproduced the results on multiple machines (mid-2012 MacBook Pro and my FX8350 / 16GB DDR3 / Samsung Evo 850 SSD / Radeon R9 380 gfx desktop). I repeated the tests with several ethernet cables (to rule out cable issues), as well as with *machine* > router > modem and *machine* > modem (to rule out firmware or routing issues). Every time, regardless of the variable, the results below were consistent.
ISP : 19MB/sec
OpenVPN 53 UDP : 2MB/sec
OpenVPN (all other ports in turn) UDP : 5MB/sec
OpenVPN (all ports) TCP : 4 - 5 MB/sec
OpenVPN + SSH 22 : 2MB/sec
OpenVPN + SSH 80 (or 53) : 13 - 18 MB/sec (lower in peak times, high off-peak)
OpenVPN + SSL 443 : 13 - 18 MB/sec (lower in peak times, high off-peak)

As we can see, generally SSL and SSH masking the OpenVPN connection allows almost full line speed (minus the encryption overheads). That's great. As soon as it's a bare OpenVPN connection the speeds cap out at around 33% of what they should be. Bare OpenVPN TCP is a little slower than UDP (as you'd expect) but otherwise in accordance with the general 5MB/sec cap experienced on UDP. The only exceptions are UDP:53 and SSH:22 which are both heavily restricted to around 2MB/sec. Now to my mind, knowing what I do of VM's shaping and DPI systems, this would only make sense if they were interfering with OpenVPN either by purposefully throttling it, or else their DPI system is messing up the connection. They further seem to restrict SSH:22 and UDP:53 by protocol but not by port. This actually makes sense, as all other Eddie combinations are quite random whereas SSH:22 (SSH) and UDP:53 (DNS) are established network traffic protocols and thus could be singled out for listing in the shaping systems. If we reverse the protocol/port (to give SSH 53 and UDP 22) we once again obfuscate the tunnel and go back to full speeds! I also get a lot of decrypt/replay errors in the logs on every single port for 'normal' OpenVPN. As soon as I hide the OpenVPN in either SSL or SSH the errors simply don't occur. Ever. This suggests that the extra tunnel is hiding the OpenVPN tunnel from being shaped, or else the DPI process in and of itself is breaking OpenVPN and causing the packets to arrive out of order. Maybe that in and of itself can hurt speed? So there you go. Sorry for the long post but it's an interesting (if thoroughly frustrating and annoying) issue. What do you gurus think?
Given I have worked to change the variables one at a time to rule out issues with AirVPN (different providers), the router and/or its firmware (direct connection to modem, bypassing router), wireless issues (used ethernet directly) and OS limits or bugs (used multiple OSs) I can't see anything is left... except issues with the ISP shaping/throttling or else their DPI breaking things. I posted a thread very similar to this in VM's support forums, but for a whole week it has gone unanswered by any staff. Interestingly it is the only thread on the forum to have been ignored. Make of that what you wish. I await your replies with interest. Thanks in advance for reading.

Dear AirVPN Forum Members, Since I am using AirVPN at my work, behind the work firewall, my firewall blocks the DD-WRT OpenVPN connection. But on my computer I can use AirVPN SSH at my work. All I need, please, is a tutorial on how we set up SSH + OpenVPN on DD-WRT routers for AirVPN. There is an SSH service in DD-WRT; I need to know how we configure it. Could you please show me the configuration of SSH + AirVPN OpenVPN settings for a DD-WRT router? Best regards,

I recently noticed that my OpenVPN speeds weren't great. It didn't matter whether I was connecting via UDP or TCP or a specific port. And so I tried connecting via SSL and SSH tunnels. Both were surprisingly much faster. So, I have two questions, please: 1) Am I correct in my understanding that OpenVPN via an SSH tunnel is more efficient and generally preferred over OpenVPN via an SSL tunnel? 2) For OpenVPN via an SSH tunnel, which port is preferred and recommended? Thanks much for the assistance and advice!